
My goal is to make use of GCP's Firestore Python 3 API. I have created a service account and followed the official documentation for the setup. However, any request to Firestore still results in a `google.api_core.exceptions.PermissionDenied: 403 Missing or insufficient permissions` error. I made sure that Firestore database rules allow all reads & writes in Firebase console. I have added both Owner & Cloud Datastore Owner roles to my service account, but to no avail. I have tried providing credentials in 2 ways, neither of which has proven to be successful:

```python
from google.cloud import firestore

# Method #1
import os
os.environ['GOOGLE_APPLICATION_CREDENTIALS'] = os.getcwd() + "/credentials.json"
db = firestore.Client()

# Method #2
from google.oauth2.service_account import Credentials
db = firestore.Client(project="my-project-id",
                      credentials=Credentials.from_service_account_file("credentials.json"))
```

I have run out of options and would appreciate any help with this problem.

arslancharyev31
  • 1) Set the environment variable before running the program, not inside. 2) This statement is overriding your previous settings: `Credentials.from_service_account_file("credentials.json")` Specify the full path to the credentials file. – John Hanley Mar 18 '20 at 15:59
  • For development, you will want to set up ADC (Application Default Credentials) and not store references to the credentials or manipulate the environment variables in your program. https://www.jhanley.com/google-cloud-application-default-credentials/ – John Hanley Mar 18 '20 at 16:02
  • @JohnHanley, thanks for the suggestions, but it turns out I did not specify the most important part of my issue, which is that I was running this code in a GCP CE VM. My bad. But funnily enough, on the VM I don't even have to specify any credentials, it just somehow works. Perhaps the VM automatically configures application default credentials on setup? – arslancharyev31 Mar 18 '20 at 20:16
  • Yes, the VM grabs credentials from the Metadata Server. My articles explain this in more detail. Research Compute Engine service accounts. – John Hanley Mar 18 '20 at 20:41

1 Answer


Turns out it matters where you execute this code. I was executing it in the GCP's Compute Engine VM instance and apparently one has to enable the corresponding cloud service in the VM's Cloud API access scopes. This answer in particular has resolved my issue.

arslancharyev31
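A check for the condition the answer describes, as an added example that is not part of the original question or answer: it reads the VM's access scopes from the Compute Engine metadata server and reports whether they include a scope the Firestore API accepts. IAM roles such as Owner only take effect within those scopes. The function names and the sample scope list (constructed to resemble a VM created with default scopes) are assumptions of this example.

```python
"""Check whether a Compute Engine VM's access scopes permit Firestore calls."""
import urllib.error
import urllib.request

# Metadata server endpoint listing the scopes granted to the VM's default
# service account, one scope URL per line.
SCOPES_URL = ("http://metadata.google.internal/computeMetadata/v1/"
              "instance/service-accounts/default/scopes")

# OAuth scopes accepted by the Firestore API.
FIRESTORE_SCOPES = {
    "https://www.googleapis.com/auth/cloud-platform",
    "https://www.googleapis.com/auth/datastore",
}

# Constructed sample resembling a VM created with default access scopes.
SAMPLE_DEFAULT_SCOPES = """\
https://www.googleapis.com/auth/devstorage.read_only
https://www.googleapis.com/auth/logging.write
https://www.googleapis.com/auth/monitoring.write
https://www.googleapis.com/auth/servicecontrol
https://www.googleapis.com/auth/service.management.readonly
https://www.googleapis.com/auth/trace.append
"""


def parse_scopes(text):
    """Turn the newline-separated metadata response into a set of scope URLs."""
    return {line.strip() for line in text.splitlines() if line.strip()}


def firestore_allowed(scopes):
    """True if at least one scope accepted by Firestore is present."""
    return bool(scopes & FIRESTORE_SCOPES)


def fetch_vm_scopes(timeout=2):
    """Query the metadata server; only reachable from inside a GCE VM."""
    req = urllib.request.Request(SCOPES_URL, headers={"Metadata-Flavor": "Google"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return parse_scopes(resp.read().decode())


if __name__ == "__main__":
    try:
        scopes = fetch_vm_scopes()
    except (urllib.error.URLError, OSError):
        print("Metadata server unreachable (not on a VM); using the sample.")
        scopes = parse_scopes(SAMPLE_DEFAULT_SCOPES)
    print("Firestore allowed by scopes:", firestore_allowed(scopes))
```

When the check reports `False`, granting the narrower `datastore` scope rather than `cloud-platform` keeps the VM's token closer to least privilege.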